Two-Factor Authentication

Enterprise Edition

Starting from version 4.0, SynaMan supports Two-Factor Authentication (2FA for short), which improves security by requiring a second form of
identification besides the password.

SynaMan supports two mechanisms for 2FA:

Email - The system generates a six-digit code and sends it via email to a designated address. The user must enter that code before continuing.

Time-based One-Time Password (TOTP) - TOTP is an algorithm that computes a one-time password, which is typically
displayed by an app on a mobile device owned by the user. Examples of such apps are Google Authenticator and Microsoft Authenticator; both are available for
Android as well as iOS devices.

Enabling 2FA

When a non-admin user connects to SynaMan's web interface, they will see a link for Two-Factor Authentication towards the lower right-hand corner.
The page that opens lets the user pick either TOTP or Email-based 2FA.

Note

2FA is only available for non-admin users. This is by design, to avoid getting locked out of the admin account. A better way to secure access
to the admin account is to restrict logins so that they are only accepted from localhost.

Using TOTP

Using TOTP requires that you install an app on your mobile device that supports this algorithm. Both the Android and iOS stores offer many apps that
can be used. Two such applications are Google Authenticator and Microsoft Authenticator.

SynaMan will display a QR Code that can be scanned by the app on your mobile device. Scanning this code will add an entry on your device and will display a 6-digit code
that will change every 30 seconds.

Very Important

Since TOTP is a time-based algorithm, it is very important that the clock on the machine running SynaMan is accurate. We strongly recommend synchronizing the machine time with a
time server on the Internet.

Enforcing 2FA

By default, using 2FA is not mandatory, and a user must enable it for their own account. However, administrators can enforce 2FA for every account. The following
steps demonstrate how to make 2FA mandatory for every user account:

Log in as admin and click Configuration

Select the Security tab

Check Mandatory 2FA and save settings

The system uses the email mechanism to enforce 2FA, which means a code is sent to the user's designated email address; end-users can switch to TOTP if desired. A valid email address
MUST be associated with every user for this to work. If users in your system are inherited from Active Directory (AD), you will see an additional field in the User Modification screen
allowing you to add an email address.

Temporarily Disabling 2FA

Administrators can temporarily disable 2FA for any user, which comes in handy if a user gets locked out. This is done from the User Management screen when logged in as admin:
click the green icon for the desired user to disable 2FA temporarily.